1) I don't understand whether I need to run the LnS service. I downloaded 2.05p2, do I need to download the service separately and run it? Why isn't it part of the 2.05p2 download?

2) Cisco VPN over UDP: I allowed the Cisco VPN client full access under "Application Filtering". Yet, when I try to connect LnS still blocks UDP packets to port 500. I have to put another rule under "Internet Filtering" to allow UDP 500 both ways for Cisco VPN client only. Why is that? It doesn't look like I have to do it for IE, I just allow it access in "App Filtering" and it works, it doesn't need extra rules for TCP 80, etc. I even tried specifying port 500 for the VPN client in the "Application Filtering" but it doesn't work without the extra rule in "Internet Filtering". Is this how it's supposed to work for UDP packets or is this a bug?

3) DLL monitoring: I have the Yahoo toolbar in IE but it certainly doesn't prompt me whether I want to allow that dll to access the Internet. The dll doesn't even appear in the list even though I have "Enable DLL detection" checked.

4) Does LnS support executable change detection? I've seen other firewalls that keep an MD5 of the executables and dll's and they warn you when they are updated. If not, what app would you recommend for this functionality together with LnS? Is it even a useful feature?

5) It does not look like LnS has the concept of trusted vs. non-trusted networks. Is the way to do it by adding custom rules in "Internet Filtering"?

6) What is this advanced option "Network interface autodetect, IP to exclude"? The help is not very ... helpful.

Re #2 above: I think I discovered a bug: If I set a dummy UDP port restriction (e.g. 345) in the "Application Filtering" rule for Cisco VPN client, the port restriction is ignored, the client can still send/receive packets on UDP ports 500 and 4500.

1) I don't understand whether I need to run the LnS service. I downloaded 2.05p2, do I need to download the service separately and run it? Why isn't it part of the 2.05p2 download?

The service is not needed to use Look 'n' Stop in the standard way.
The service is just an additional feature to have Look 'n' Stop active before a user session is open under Win2000/XP.
It is not included in the 2.05p2 download because it's still in beta, since there are still some issues under XP.

2) Cisco VPN over UDP: I allowed the Cisco VPN client full access under "Application Filtering". Yet, when I try to connect LnS still blocks UDP packets to port 500. I have to put another rule under "Internet Filtering" to allow UDP 500 both ways for Cisco VPN client only. Why is that? It doesn't look like I have to do it for IE, I just allow it access in "App Filtering" and it works, it doesn't need extra rules for TCP 80, etc. I even tried specifying port 500 for the VPN client in the "Application Filtering" but it doesn't work without the extra rule in "Internet Filtering". Is this how it's supposed to work for UDP packets or is this a bug?

Look 'n' Stop contains two parts, an Application Filtering layer and an Internet Filtering layer (which is a true packet filter).
The packet filter needs to be configured separately when some specific ports like UDP 500 need to be open.
You can import a UDP 500 rule from the following file: http://looknstop.soft4ever.com/Rules/NortelVPN.rie (since the Nortel VPN also requires UDP 500 to be open).

3) DLL monitoring: I have the Yahoo toolbar in IE but it certainly doesn't prompt me whether I want to allow that dll to access the Internet. The dll doesn't even appear in the list even though I have "Enable DLL detection" checked.

Are you sure the Yahoo toolbar connects directly?
Usually this kind of DLL just adds some extensions to IE but it is still IE (and its own DLLs) that does the connection.

4) Does LnS support executable change detection? I've seen other firewalls that keep an MD5 of the executables and dll's and they warn you when they are updated. If not, what app would you recommend for this functionality together with LnS? Is it even a useful feature?

Yes, Look 'n' Stop detects signature changes.

5) It does not look like LnS has the concept of trusted vs. non-trusted networks. Is the way to do it by adding custom rules in "Internet Filtering"?

If you want to allow a trusted network, you simply have to add a rule that will allow packets for a set of IPs (a range, a sub-network...).

6) What is this advanced option "Network interface autodetect, IP to exclude"? The help is not very ... helpful.

This helps Look 'n' Stop to find the correct network interface to be monitored. The automatic selection is based on the IP address. If the IP address is in this exclude list, Look 'n' Stop considers that the corresponding network interface is not the correct one and looks for another one. That's why you find by default addresses like 127.0.0.1, 192.168.0.1, 169.254.x.y, which are normally not used for the Internet connection.

That's why you find by default addresses like 127.0.0.1, 192.168.0.1, 169.254.x.y, which are normally not used for the Internet connection.

I don't think 10 and 192.168.0.1 should be there. For example Netgear (wireless) routers use 192.168.0.x by default and it's certainly possible for someone to use 192.168.0.1 as the IP of the computer rather than the IP of the router. Same for the 10.x.x.x network, Apple and D-Link routers use it by default.

I think the default should only include 127.0.0.1 and 169.254 but of course it's not a big deal once you know where to look and what to fix, but initially for someone who's just getting started with LnS it may be strange.

What about this possible bug? Can you please confirm it is a bug and it will be fixed or if it's not a bug, what am I doing wrong?

I think I discovered a bug: If I set a dummy UDP port restriction (e.g. 345) in the "Application Filtering" rule for Cisco VPN client, the port restriction is ignored, the client can still send/receive packets on UDP ports 500 and 4500.

As for the Yahoo toolbar question:

Are you sure the Yahoo toolbar connects directly?
Usually this kind of DLL just adds some extensions to IE but it is still IE (and its own DLLs) that does the connection.

I am not sure how it works, maybe you can help me understand how the dll detection is done. I know that when IE starts the toolbar appears in its uninitialized state and then when IE sends the first request to any site (or if you click Refresh in the Yahoo toolbar) the toolbar will connect to the Yahoo servers and update itself.

What about this possible bug? Can you please confirm it is a bug and it will be fixed or if it's not a bug, what am I doing wrong?

I think I discovered a bug: If I set a dummy UDP port restriction (e.g. 345) in the "Application Filtering" rule for Cisco VPN client, the port restriction is ignored, the client can still send/receive packets on UDP ports 500 and 4500.

There is no known issue there so far. Are you sure you specified the port for the right protocol (UDP or TCP)? Are you sure it is really the application you configured that is using these ports?
Sometimes with VPN applications, there are several executables connecting.

I am not sure how it works, maybe you can help me understand how the dll detection is done. I know that when IE starts the toolbar appears in its uninitialized state and then when IE sends the first request to any site (or if you click Refresh in the Yahoo toolbar) the toolbar will connect to the Yahoo servers and update itself.

The DLL detection only reports the DLLs that are involved directly in the connection. If the DLL is just loaded by IE, and the connection to the Yahoo server is done by IE and its own DLLs, it is normal that LnS doesn't detect it.
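
Added example, not part of the thread and not Look 'n' Stop's own code: a Python model of the "Network interface autodetect, IP to exclude" behaviour discussed above (question 6 and the follow-up about 192.168.0.1), run against the default list quoted in the thread and the shorter list proposed in the reply. The first-match selection order, the trailing-wildcard parsing of entries like 169.254.x.y, and both sample hosts are assumptions constructed for illustration.

```python
import ipaddress

def parse_exclude(entry):
    """Turn '127.0.0.1' or '169.254.x.y' into the network it excludes."""
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {entry!r}")
    fixed = 0
    while fixed < 4 and octets[fixed].isdigit():
        fixed += 1
    # Assumption: wildcards only appear as a trailing run, as in 169.254.x.y.
    if any(o.isdigit() for o in octets[fixed:]):
        raise ValueError(f"wildcard must be trailing: {entry!r}")
    base = ".".join(octets[:fixed] + ["0"] * (4 - fixed))
    return ipaddress.ip_network(f"{base}/{8 * fixed}")

def pick_interface(interfaces, exclude_entries):
    """Return the first interface whose IP is not excluded, or None."""
    excluded = [parse_exclude(e) for e in exclude_entries]
    for name, ip in interfaces:
        if not any(ipaddress.ip_address(ip) in net for net in excluded):
            return name
    return None

# Constructed sample hosts (adapter name, IPv4 address), in enumeration order.
ROUTER_PC = [("Loopback", "127.0.0.1"),
             ("Unconfigured NIC", "169.254.17.4"),
             ("Ethernet", "192.168.0.1")]      # PC itself uses 192.168.0.1
DIRECT_PC = [("Loopback", "127.0.0.1"),
             ("LAN side", "192.168.0.1"),
             ("Dial-up", "203.0.113.25")]      # documentation-range public IP

DEFAULT_LIST = ["127.0.0.1", "192.168.0.1", "169.254.x.y"]  # quoted in thread
TRIMMED_LIST = ["127.0.0.1", "169.254.x.y"]                 # proposed in thread

if __name__ == "__main__":
    for label, host in (("router PC", ROUTER_PC), ("direct PC", DIRECT_PC)):
        for list_name, entries in (("default", DEFAULT_LIST),
                                   ("trimmed", TRIMMED_LIST)):
            print(f"{label:9} {list_name:8} -> {pick_interface(host, entries)}")
```

With the default list the router PC ends up with no interface selected, so nothing is monitored until the list is edited; with the trimmed list the same PC is covered, but the direct-connection host now selects its LAN-side adapter instead of the Internet-facing one. Whichever list is used, the interface the firewall actually picked is worth checking after installation.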